Quote Originally Posted by Virchanza View Post
A friend of mine is in control of a small computer room at a school, consisting of about 30 or so computers.

A typical computer in the room has the following setup:
IP address: 192.168.0.5
Netmask: 255.255.255.0
Default Gateway: NONE SPECIFIED
Proxy Server for Web Browser: 192.168.0.1

The purpose of the proxy server is to filter out "inappropriate" content (it might do some website caching as well, I'm not sure).

Anyway, I have a quick question. I realise there's such a thing as "transparent proxy servers". If the main server computer was set up as a "transparent" proxy server, then each computer in the room could be set up as follows:

IP address: 192.168.0.5
Netmask: 255.255.255.0
Default Gateway: 192.168.0.1
Proxy Server for Web Browser: NONE SPECIFIED

I find this setup much more natural. I don't like non-transparent proxy servers because I find it a nuisance to have to enter proxy server information into all my programs that use the internet. Plus I don't like anything that interferes with the simplicity of the TCP/IP stack.

However, before I go and tell my friend to switch to "transparent proxy", is there any reason not to? Are there any benefits in having a non-transparent proxy server? I can't think off-hand of any benefits in keeping things the way they are, but I just want to be doubly sure before I tell him to change it.
http://isc.sans.org/diary.html?storyid=1537
Not having a default route in the router network is a great way to minimise the impact of malware on the corporate environment. This practice enforces that gateways are used for all external communications.

Advantages

1. Enforces the use of proxy gateways for external communications.
2. Malicious packets can be dropped or sent to a centralised server for analysis.
3. Reduces the potential impact of misconfigured software through enforcing no internet connectivity.
4. Makes malware infection easy to spot (if analysing all dropped packets).

I'd recommend implementing this with a split DNS to increase the difficulty of malware "phoning home" as the internal network cannot resolve external addresses. The DNS server could be configured to log all unresolved addresses for further malware indication.

Note that the above tip does not ask you to remove the default route from your end systems (user workstations) - chances are that many services needed in a corporate environment (like financial news feeds) will need to have a default route on the workstation. But if, in your network core, you can get away with only advertising and routing those external networks that are actually needed, you have made a huge step to secure your network. As indicated above, the newly unused "default route" should then be made to point to a "darknet" where you have nothing except logging and packet collection capability.
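As an added illustration of advantage 4 above (spotting infections from the packets that land in the darknet), here is a small log triage script; it is not from the thread or from the SANS diary. It assumes the core-level design described above (workstations keep a default route, the core sends unrouted traffic to a logging sink), an iptables-LOG-style line format, and a constructed sample log; the classification thresholds are arbitrary choices for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what the darknet sink might log. Any packet arriving here
# had no legitimate route, so the interesting question is which host sent it and why.
SAMPLE_SINK_LOG = """\
Mar 10 09:01:15 sink kernel: DROP IN=eth0 SRC=192.168.0.5 DST=203.0.113.9 PROTO=TCP DPT=80
Mar 10 09:01:16 sink kernel: DROP IN=eth0 SRC=192.168.0.17 DST=198.51.100.4 PROTO=TCP DPT=6667
Mar 10 09:01:17 sink kernel: DROP IN=eth0 SRC=192.168.0.17 DST=198.51.100.4 PROTO=TCP DPT=6667
Mar 10 09:01:20 sink kernel: DROP IN=eth0 SRC=192.168.0.17 DST=192.0.2.77 PROTO=UDP DPT=53
Mar 10 09:01:22 sink kernel: DROP IN=eth0 SRC=192.168.0.22 DST=192.168.0.30 PROTO=TCP DPT=445
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def parse_sink_log(text):
    """Yield (src, dst, proto, dport) for every line that carries the expected fields."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def analyze(text, internal_nets=("192.168.0.0/24",)):
    """Group sink hits by source host and give each host a coarse verdict."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hosts = defaultdict(lambda: {"web": 0, "other": 0, "dsts": set()})
    for src, dst, proto, dport in parse_sink_log(text):
        if any(ipaddress.ip_address(dst) in n for n in nets):
            continue  # internal destinations are a routing problem, not this script's job
        h = hosts[src]
        h["dsts"].add(dst)
        if proto == "TCP" and dport in (80, 443):
            h["web"] += 1      # direct web access: often just a browser missing the proxy setting
        else:
            h["other"] += 1    # anything else has no business bypassing the proxy gateway
    report = {}
    for src, h in hosts.items():
        verdict = "investigate" if h["other"] or len(h["dsts"]) >= 3 else "likely-misconfigured-browser"
        report[src] = {"verdict": verdict, "web": h["web"], "other": h["other"],
                       "destinations": sorted(h["dsts"])}
    return report


if __name__ == "__main__":
    for host, info in sorted(analyze(SAMPLE_SINK_LOG).items()):
        print(host, info)
```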